SecurityPlus
Explorer III
March 1, 2016
Question

How Can I Block Computers Access To Other LAN Computers; Only Allow Access To WAN?


I'm sure that the answer to this question is simple but I can't find the solution after some looking.


We in the past set up a FortiGate firewall with FortiAPs. On the SSID configuration used for guest wireless we selected to Block Intra-SSID Traffic.


This time we have the same objective, but the equipment and topology are different. We're using a FortiGate 100D, the ports are in Interface mode. Port2 is connected to a switch. The switch connects to wired computers and to old unmanaged Netgear WAPs. The FortiGate is handling DHCP. All of the computers on this Port2 are on the same subnet. There is one policy that allows communication from Port2 to WAN1. Because each of the wireless and wired users is a guest, we don't want any intra-subnet traffic. We only want the computers and wireless devices to access the WAN. I have not been able to confirm if intra-subnet traffic is blocked, as the network is remote, but I don't know why it would be. How do we block intra-subnet traffic? What am I missing?


Thanks!

    1 reply

    emnoc
    New Member
    March 1, 2016

    If the switch is connected via port2 you can't block intra-LAN. Think about it, the switch is the access. Now you can look at private VLANs if the switch supports this (most Cisco switches that are layer 3 can, btw, and a few others).


    If you're thinking of using the layer 3 firewall to block intra-LAN traffic, that's not doable.
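    The private-VLAN approach above, written out as an added example (not configuration from this thread or from Fortinet): an isolated secondary VLAN keeps every guest port from reaching any other guest port, while the promiscuous uplink to the FortiGate's port2 still gives each host DHCP and the existing Port2-to-WAN1 policy. It assumes a Catalyst-style IOS switch; the VLAN IDs, port numbers and descriptions are placeholders to adjust.

```cisco
! Constructed example for a Catalyst-style IOS switch (not from this thread).
! Assumed: primary VLAN 100, isolated VLAN 101, FortiGate port2 on Gi1/0/24,
! guest PCs and the unmanaged WAPs on Gi1/0/1 - 23.
vtp mode transparent
!
vlan 100
 name guest-primary
 private-vlan primary
 private-vlan association 101
!
vlan 101
 name guest-isolated
 private-vlan isolated
!
! Uplink to the FortiGate: promiscuous, so every isolated host can reach the
! firewall (DHCP, default gateway, WAN1) but never another isolated host.
interface GigabitEthernet1/0/24
 description FortiGate-100D-port2
 switchport mode private-vlan promiscuous
 switchport private-vlan mapping 100 101
!
! Guest ports: isolated hosts may only talk to promiscuous ports, so two
! PCs (or a PC and a WAP) plugged into this range cannot see each other.
interface range GigabitEthernet1/0/1 - 23
 description guest-wired-and-WAP
 switchport mode private-vlan host
 switchport private-vlan host-association 100 101
 spanning-tree portfast
!
```

    Check the result with `show vlan private-vlan` and then confirm from two guest ports that they can reach WAN1 but not each other. Clients of the same unmanaged WAP are still bridged inside that AP and can see one another, so isolation between wireless clients needs an AP-side setting like the Block Intra-SSID option used on the FortiAPs.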

    ede_pfau
    SuperUser
    March 1, 2016

    No way for the firewall to control traffic that doesn't even flow across it - your LAN and WiFi hosts share a common LAN segment without any interference of the firewall.

    With VLAN capable switches (Netgear Smart Switches are small, cheap and web manageable) you could set your LAN clients into a VLAN, terminate it at the FGT and then you have 2 separate networks.

    SecurityPlus
    Explorer III
    March 1, 2016

    Sorry that I asked such a simple question. Thank you both for reminding me of what I should have known.